ILOVEYOU

Very similar to the Melissa virus from 1999, this virus appears to have started on May 4, 2000, sending itself to 100% of the people in a person's Outlook address book. It is extremely widespread and has gone worldwide in a matter of hours. Initial reports are that it originated from Asia, maybe the Middle East.

Just another example of why Outlook sucks, and one that makes every person who has been using e-mail since pre-Outlook days wonder why Microsoft had to force this vile program onto the masses.

If you haven't heard of it yet, you soon will. I'm sure The Media will have a field day with this. It will probably be all we hear about for the next 48 hours. Oh Boy, I can hardly wait.

More info: it apparently has a nasty payload too. It messes with mIRC to replicate itself further. It traverses your drives and copies itself over any JPEGs, MP3s, JavaScript files, and more.

Even more: it copies itself to your system directory and to your Windows (or WinNT) directory. It then adds entries into the registry to start these up when you reboot. It then attempts to download the file WIN-BUGSFIX.exe from one of 4 random places if you have the file WinFAT32.exe. It copies itself over any vbs, vbe, js, jse, css, wsh, sct, or hta files, changing the extension to vbs if it wasn't already. It also overwrites any jpg or jpeg files and renames them to the same thing with the extension vbs appended. If it finds any mp3 files it creates a new file by the same name with a vbs extension; this new file is a copy of itself. If you have mIRC it modifies the script.ini file to send itself to people. It appears that when you join a channel it will send itself to anybody in that channel. It also does some other things with the registry that I'm not too sure about. Kurt "The Pope" has a writeup on it, but his website was /.ed before I could read it. Also, the source code is now widely available since the programmer didn't do anything to try to hide it. According to the first 2 lines of it, this virus came from Manila, Philippines, by somebody going by the nick spyder.

I know this is an incomplete description; I do not know VBScript or mIRC very well.
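As an added example (not from the page or any of its contributors), a defender-side scan in Python for the overwrite pattern described above: it flags .vbs files whose name still carries a jpg/jpeg/mp3 extension (photo.jpg.vbs) and clusters of byte-identical .vbs files, which is the residue one script copying itself over many files leaves behind. The directory layout and file contents are constructed sample data, not the real script.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions the writeup says end up with ".vbs" appended (e.g. photo.jpg.vbs).
MEDIA_EXTS = {".jpg", ".jpeg", ".mp3"}


def scan_tree(root, min_cluster=3):
    """Return (double_ext, clusters) for the tree under root.
    double_ext: .vbs files whose stem still carries a media extension.
    clusters:   groups of >= min_cluster .vbs files with identical content,
                the residue of one script copying itself over many files."""
    double_ext, by_hash = [], defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".vbs":
                continue
            path = os.path.join(dirpath, name)
            if os.path.splitext(stem)[1].lower() in MEDIA_EXTS:
                double_ext.append(path)
            with open(path, "rb") as f:
                by_hash[hashlib.sha256(f.read()).hexdigest()].append(path)
    clusters = [p for p in by_hash.values() if len(p) >= min_cluster]
    return sorted(double_ext), clusters


def build_sample(root):
    """Constructed sample tree (not the real script): three identical .vbs
    copies, two of them shadowing media files, plus harmless bystanders."""
    body = b"' constructed stand-in for the worm body\r\nMsgBox \"hi\"\r\n"
    os.makedirs(os.path.join(root, "pics"))
    for rel in ("pics/holiday.jpg.vbs", "song.mp3.vbs", "login.vbs"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    for rel, data in (("song.mp3", b"ID3 placeholder"), ("notes.txt", b"text")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree, scan it, and return relative hits and cluster sizes."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        double_ext, clusters = scan_tree(root)
        rel = [os.path.relpath(p, root).replace(os.sep, "/") for p in double_ext]
        return rel, [len(c) for c in clusters]
```

Point scan_tree at a user profile to look for the same two signals on real data; the cluster heuristic also catches the js/css/hta-to-vbs renames, which leave no double extension behind.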

User sees attached wibble.doc and opens it in StarOffice/WordPerfect/??

Virus is lucky and has a compatible payload: the DocOpen event is triggered and the script runs.

Virus is lucky and the script environment actually supports the ability to run other programs.

Virus checks out the platform it's running on (OS, desktop environment, word processor, network access, etc.) and decides on the best way of replicating.

Virus constructs new virus based on this information.

Virus searches for regexes that look like mail addresses in files under $HOME and mails the new virus out.

Virus dumps some nice, quiet startup scripts in the user's rc files. These start very quiet background processes that poll for access to the internet and open an IRC connection if possible. Ideally the virus can use Perl for this...

The first mistake in design is that a mail client allows you to execute a random piece of code that you got from the net.
The designers should have asked themselves: "Is this really a typical user activity?" or "Is this a security hole that someone will exploit?", which basically means "Should this be made convenient, like renaming a file, or inconvenient, like formatting a hard disk?" - my take would obviously be "inconvenient as hell, and maybe more".

The second mistake is in user interface design: the interface should make forcefully clear that what you are going to do is FUCKING DANGEROUS. The mild-mannered Windows warning dialog, with its lengthy chat, just does not cut it.

The third mistake lies in user training. It is assumed that users will understand what they do, but in reality they do not. I see it all the time: the project I work in has some fairly large mailing lists, used by absolute beginners. They get a Word document from someone who has just graduated from chalk+blackboard to a keyboard, and cheerfully open and run the macros. And then forward the infected documents to the rest of the list.

This combination of bad design, bad UI and bad training is the niche where the virus thrives.

Consider a virus that is a Linux x86 executable: I could uuencode it, and mail it to my buddies. And it would never survive, because my buddies have the training not to run an executable coming from an unknown source (point 3), and because many typical Unix mail clients (pine, mutt, ...) do not give you any facility for one-touch uudecoding and running of random crap of unknown origin (point 1).

To answer asqui: The problem is one of expectations. An end user does not usually expect actions taken in his mail user agent to be dangerous, and thus is not expecting his 'Preview mail' to actually result in mail bombing everybody in his contact list, replacement of all his mp3s and JPEGs with viral code, or all of his data being stolen.

Making this happen by default in order to support an operation that should be uncommon (executing non-authenticated code received through e-mail, the equivalent of lending your machine to a stranger for a day, without supervision) is in my opinion bad user interface design.

Guns are commonly designed with safety catches; if we were selecting a gun to give to everybody, I assume we would pick one with a safety catch, even though the catches aren't strictly necessary if the user is careful. We should go to at least the same level of protection for MUAs; though the consequences usually are less severe with a mailer mishap, guns are, after all, designed to kill, while this is (hopefully) not a common design goal for MUAs. Thus, we can expect people to be somewhat more careful around guns than they would be around MUAs.

If I was to support executing content directly from the MUA at all, I would have done the following things to restrict damage:

Default to not running executable content on double-click, instead displaying a requester telling about the dangers of executing code on your machine, about the ease of forging e-mail, that firewalls will not protect you against this, and of where the user can change the preferences to allow execution.

Allow execution with or without a warning each time execution is attempted (after the above option has been changed to allow it at all). I'd probably do this by allowing execution of the executable that triggered the last warning before enabling of execution, but coming up with a warning (with a disable button) each time afterwards (until the user disables the requester).

Allow execution in a sandbox, where the executing program does not get write access or access to create outbound network connections, and the output from the program is displayed in a controlled fashion, avoiding spoofing for passwords and similar.

(If possible) Allow execution with other types of lowered access, e.g. popping up a requester before allowing writes to proceed.

This isn't enough to give perfect security, but it creates a much safer environment, and one where users are automatically taught about the dangers of their actions. The cost is at two levels - the user who actually knows what she is doing loses 30 seconds disabling the protection, and the implementor of the program loses time implementing the security features.

I think this is a reasonable cost, and that not taking it is irresponsible.

Date: Wed, 10 May 2000 19:07:34 -0400 (EDT)
From: XXXX XXXXXX XXXXX
To: XXXXXX X XXXXX
Cc: geekhumor@umich.edu
Subject: Re: ILOVEYOU
Sorry, the user of this machine is infected by the IMNOTREADYFORACOMMITMENT
virus, and is therefore incapable of responding appropriately to your
thoughtful message. Unlike software viruses, IMNOTREADYFORACOMMITMENT is a
wetware virus, transmitted by the Y chromosome. Those stricken by the dreaded
IMNOTREADYFORACOMMITMENT virus cannot be helped by standard interventions such
as anti-virus software. Completely reformatting these hapless individuals
might work, but unfortunately there are no safe, reliable methods for doing so
at this time. There is some evidence that the IMNOTREADYFORACOMMITMENT virus
might go into remission after 10 to 60 years of torturing its host. Good bye,
good luck disinfecting your computer, and be thankful that you do not carry
the dreadful Y chromosome!
On Wed, 10 May 2000, XXXXXX X XXXXXX wrote:
>
> kindly check the attached LOVELETTER coming from me.

Update: some of the virus specialists at my site read the copy of this I cc-ed to geekhumor@umich.edu and wanted my permission to reproduce it on the Virus Humor webpage... though they were a little worried some m0r0n would read it and write in asking how to protect themselves against IMNOTREADYFORACOMMITMENT. My advice with respect to protection against this sort of thing is to scan a guy carefully before you insert him.